Cars can be hacked

The same networking systems that allow modern cars to communicate with services like OnStar also allow the cars to be hacked. Researchers from the University of Washington and the University of California, San Diego were able to take control of cars' computer systems—remotely forcing the vehicles to brake, shutting down the engines, and even disabling the brakes altogether. The team analyzed the security risks inherent in modern automobiles and published a paper explaining their findings. You can read it online. (Via Erin Biba)


  1. I like the use of the word “pwned” in an academic paper. It is displayed on the car’s speedometer after it was compromised.

  2. It’s important to note that in order to “remotely” take control of the cars, they first had to physically attach a device (in this case a laptop) to the on-board diagnostics port (inside the car).

  3. Flashing a car’s operating system can make it do bad things, and it’s possible to flash a car’s OS when you have physical access and equipment. Not exactly news, but if you’re living under a rock it’s time to crawl out from under!

  4. 1. The important point to note here is how vulnerable the internal networks of cars are. As these networks get more outside wireless access points, the attack surface against these networks will grow.

    2. Once they got onto the internal network, this paper read like a bad Stephen King novel. Randomly braking individual wheels or disabling the brakes, blaring the radio and making evil warning sounds, locking and unlocking the doors, making the instruments have crazy messages, causing the washer fluid to spray continuously…

  5. I was getting a little wound up about the fact that when I post short messages I drop letters and pick the adjacent work in the spell checker.

    Now I’m happy, have a look a the first word on the first paragraph, the PDF printer has dropped what I assume to be half of the first word! Adobe we love you, you are human unlike Apple!

  6. Now I have had a quick look at the document its very frightening. I’m going have to read it in full and test my brakes every 30 metres (50 feet or so).

    1. Talk about frightening, Graeme — your metres-feet conversion is off by a factor of two. And Maggie, your first sentence is a scaremongering stretch of the truth. The under-dash port is hardly the “same networking system” as OnStar.

  7. Were cars so difficult to drive in the past that we needed to add such a high level of computer control to basic functions? Seriously? What’s next, internet controls for your Colt 45?

    1. Yes, they were too difficult to drive.

      Would you rather share the road with the car at 0:31 or the car at 0:50?

    2. Antilock brakes, traction control, stability control, emissions controls, fuel injection, etc. All these things require computer control. (Actually, fuel injection can be done with mechanical controls, just not very well.)

      @BenSeese – actually, OnStar does depend upon the network that is accessed using the under-dash port. It may not use it to communicate to the OnStar mothership, but it uses it for all the diagnostics that enable the fun diagnostics and trouble-assist features. I.e. remotely unlocking the car, sensing an accident, etc. It uses the very same data that the underdash port makes available, over the same controller area network.

  8. I believe many cars will unlock the doors when airbags are deployed so if you can give an accelerometer a whack…

  9. A month or two ago a friend suggested that a GSM-to-OBDII adapter would be an interesting project…

  10. Great, I can see it now….I’ll be driving along in my OnStar equipt vehicle and someone will hack into the onboard computer resulting in a penis enlargement….wait a minute…..I foget, what was the downside of this???

  11. “[…] remotely forcing the vehicles to brake, shutting down the engines, and even disabling the brakes altogether.”


    The paper clearly states that the attackers had physical access to the car’s internal network via the wired diagnostic port for the entire duration of the attack. At no point were the attacks performed “remotely” unless you count running a cord out of the car door as remote. The paper does mention OnStar in a few places and notes that it is on the same bus, but that was not the attack vector. There was only a vague implication that it could be a potential risk.

  12. Doesn’t this go with the old network security adage, “if you can do it, so can anyone else”?

Comments are closed.